Systemd script

Josep Manel Andrés josep.andres at bsc.es
Fri Feb 19 11:13:48 UTC 2016


Hi Harald,
Thanks, but I suspect those are the files that come with the default 
system installation, but not usable (without modifications) if I have 
compiled it from source. Am I right?

Cheers.

On 19/02/16 12:02, Reindl Harald wrote:
>
>
> Am 19.02.2016 um 11:45 schrieb Josep Manel Andrés:
>> I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
>> script we were using on SLES11SP3, but it doesn't seem to work, since
>> the new version of bind needs to get some libraries copied into the
>> chroot environment, that's why I am trying to adapt the systemd script
>> that comes with the version from repos on SLES 12 but so far I didn't
>> get it working.
>>
>> Does anyone have a systemd or init script that works for bind-9.9.8-P3 ?
>>
>> What would be the correct procedure to run named as daemon?
>
> Fedora has contained systemd units for a long time now
> _______________________________________________________________________
>
> [root at srv-rhsoft:~]$ cat /etc/systemd/system/named.service
> [Unit]
> Description=DNS Server
> After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service
>
> [Service]
> Type=simple
> ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
> ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
> ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
> ExecReload=/usr/bin/kill -HUP $MAINPID
> ExecStop=/usr/bin/kill -TERM $MAINPID
> ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
> PrivateTmp=yes
> PrivateDevices=yes
> TimeoutSec=25
> Restart=always
> RestartSec=1
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
> ReadOnlyDirectories=/var/lib
> InaccessibleDirectories=-/root
> InaccessibleDirectories=-/media
> InaccessibleDirectories=-/boot
> InaccessibleDirectories=-/home
> InaccessibleDirectories=-/run/console
> InaccessibleDirectories=-/run/dbus
> InaccessibleDirectories=-/run/lock
> InaccessibleDirectories=-/run/mount
> InaccessibleDirectories=-/run/systemd/generator
> InaccessibleDirectories=-/run/systemd/system
> InaccessibleDirectories=-/run/systemd/users
> InaccessibleDirectories=-/run/udev
> InaccessibleDirectories=-/run/user
> InaccessibleDirectories=-/var/lib/dbus
> InaccessibleDirectories=-/var/lib/rpm
> InaccessibleDirectories=-/var/lib/systemd
> InaccessibleDirectories=-/var/lib/yum
> InaccessibleDirectories=-/var/spool
>
> [Install]
> WantedBy=multi-user.target
> _______________________________________________________________________
>
> [root at srv-rhsoft:~]$ cat /usr/libexec/setup-named-chroot.sh
> #!/bin/bash
>
> ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys
> /etc/named.root.key /etc/named.conf
> /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf
> /etc/rndc.key
> /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named
> /etc/crypto-policies/back-ends/bind.config'
>
> usage()
> {
>    echo
>    echo 'This script setups chroot environment for BIND'
>    echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
> }
>
> if ! [ "$#" -eq 2 ]; then
>    echo 'Wrong number of arguments'
>    usage
>    exit 1
> fi
>
> ROOTDIR="$1"
>
> # Exit if ROOTDIR doesn't exist
> if ! [ -d "$ROOTDIR" ]; then
>    echo "Root directory $ROOTDIR doesn't exist"
>    usage
>    exit 1
> fi
>
> mount_chroot_conf()
> {
>    if [ -n "$ROOTDIR" ]; then
>      for all in $ROOTDIR_MOUNT; do
>        # Skip nonexistent files
>        [ -e "$all" ] || continue
>
>        # If mount source is a file
>        if ! [ -d "$all" ]; then
>          # mount it only if it is not present in chroot or it is empty
>          if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
>            touch "$ROOTDIR$all"
>            mount --bind "$all" "$ROOTDIR$all"
>          fi
>        else
>          # Mount source is a directory. Mount it only if directory in chroot is
>          # empty.
>          if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
>            mount --bind --make-private "$all" "$ROOTDIR$all"
>          fi
>        fi
>      done
>    fi
> }
>
> umount_chroot_conf()
> {
>    if [ -n "$ROOTDIR" ]; then
>      for all in $ROOTDIR_MOUNT; do
>        # Check if file is mount target. Do not use /proc/mounts because detecting
>        # of modified mounted files can fail.
>        if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
>          umount "$ROOTDIR$all"
>          # Remove temporary created files
>          [ -f "$all" ] && rm -f "$ROOTDIR$all"
>        fi
>      done
>    fi
> }
>
> case "$2" in
>    on)
>      mount_chroot_conf
>      ;;
>    off)
>      umount_chroot_conf
>      ;;
>    *)
>      echo 'Second argument has to be "on" or "off"'
>      usage
>      exit 1
> esac
>
> exit 0
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

-- 
Josep Manel Andrés (josep.andres at bsc.es)
Operations - Barcelona Supercomputing Center
C/ Jordi Girona, 31  http://www.bsc.es
08034 Barcelona, Spain Tel: +34-93-405 42 14
e-mail: systems at bsc.es Fax: +34-93-413 77 21
-----------------------------------------------

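The part of this thread that the Fedora script above does not address is Josep's actual problem: a named built from source drags shared libraries into the chroot that the packaged unit never had to care about. The helper below is an added example written for this page; it is not from the thread, from the Fedora package, or from ISC. It uses `ldd` to enumerate exactly the libraries the binary links, and copies only those into the chroot (resolving symlinks so the chroot holds real files, refusing relative or `..` paths, and failing loudly on a library `ldd` cannot resolve, which is the usual cause of named dying at start inside a chroot). The function names `parse_ldd`, `install_libs` and `chroot_libs_for` are this example's own, and the binary path `/usr/local/sbin/named` in the usage comment is a placeholder for wherever the from-source build installed named.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the bind-users thread):
# copy the shared libraries a from-source named needs into its chroot.
set -eu

# parse_ldd: read `ldd BINARY` output on stdin and print one absolute library
# path per line. ldd emits three line shapes:
#   libc.so.6 => /lib64/libc.so.6 (0x...)   -> prints /lib64/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> prints the loader path as-is
#   linux-vdso.so.1 (0x...)                 -> kernel-provided, skipped
# A "name => not found" line is reported on stderr and makes the function
# fail, so a half-populated chroot is never produced silently.
parse_ldd() {
    awk '
        BEGIN { rc = 0 }
        /=>/ {
            if ($3 ~ /^\//) print $3
            else { print "unresolved library: " $1 > "/dev/stderr"; rc = 1 }
            next
        }
        $1 ~ /^\// { print $1 }
        END { exit rc }
    '
}

# install_libs CHROOT: read absolute library paths on stdin and copy each one
# to CHROOT/<same path>, creating the directory tree as needed. Prints each
# destination path. Rejects anything that is not an absolute regular file.
install_libs() {
    chroot="$1"
    while IFS= read -r lib; do
        case "$lib" in
            /*) ;;
            *) echo "refusing relative path: $lib" >&2; return 1 ;;
        esac
        case "$lib" in
            */../*|*/..) echo "refusing path containing '..': $lib" >&2; return 1 ;;
        esac
        [ -f "$lib" ] || { echo "not a regular file: $lib" >&2; return 1; }
        mkdir -p "$chroot$(dirname "$lib")"
        # -L follows symlinks (libssl.so.1.1 -> libssl.so.1.1.x) so the chroot
        # gets the real object, not a dangling link; -p keeps mode and mtime.
        cp -pL "$lib" "$chroot$lib"
        echo "$chroot$lib"
    done
}

# chroot_libs_for BINARY CHROOT: the end-to-end step a unit could run from an
# ExecStartPre= line, e.g.
#   sh chroot-libs.sh /usr/local/sbin/named /var/named/chroot
chroot_libs_for() {
    ldd "$1" | parse_ldd | install_libs "$2"
}

if [ "$#" -eq 2 ]; then
    chroot_libs_for "$1" "$2"
fi
```

Run it once after each rebuild of named (or from an `ExecStartPre=` line before `named -t`), then verify with `chroot /var/named/chroot /usr/local/sbin/named -v` that the binary actually loads inside the jail. Keeping the list derived from `ldd` rather than hand-maintained is what keeps the chroot minimal: nothing ends up inside it that the binary does not link.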

